§6.2: ${\mathbb F}_2$-polynomials

We began our study of boolean functions in Chapter 1.2 by considering their polynomial representations over the real field. In this section we take a brief look at their polynomial representations over the field ${\mathbb F}_2$, with $\mathsf{False}$, $\mathsf{True}$ being represented by $0, 1 \in {\mathbb F}_2$ as usual. Note that in the field ${\mathbb F}_2$, the arithmetic operations $+$ and $\cdot$ correspond to logical XOR and logical AND, respectively.

Corollary 22 Let $f : \{\mathsf{False}, \mathsf{True}\}^n \to \{\mathsf{False}, \mathsf{True}\}$. Then $\deg_{{\mathbb F}_2}(f) = n$ if and only if $f(x) = \mathsf{True}$ for an odd number of inputs $x$.

The proof of Proposition 21 is left for the exercises; Corollary 22 is just the case $S = [n]$. You can also directly see that $c_{[n]} = \sum_x f(x)$ by observing what happens with the monomial $x_1x_2 \cdots x_n$ in the interpolation \eqref{eqn:interp-f2-a},\eqref{eqn:interp-f2-b}.

Given a generic boolean function $f : \{\mathsf{False}, \mathsf{True}\}^n \to \{\mathsf{False}, \mathsf{True}\}$ it’s natural to ask about the relationship between its Fourier expansion (i.e., polynomial representation over ${\mathbb R}$) and its ${\mathbb F}_2$-polynomial representation. In fact you can easily derive the ${\mathbb F}_2$-representation from the ${\mathbb R}$-representation. Suppose $p(x)$ is the Fourier expansion of $f$; i.e., $f$’s ${\mathbb R}$-multilinear representation when we interpret $\mathsf{False}$, $\mathsf{True}$ as $\pm 1 \in {\mathbb R}$. From Exercise 1.10, $q(x) = \tfrac{1}{2} - \tfrac{1}{2} p(1-2x_1, \dots, 1-2x_n)$ is the unique ${\mathbb R}$-multilinear representation for $f$ when we interpret $\mathsf{False}$, $\mathsf{True}$ as $0, 1\in {\mathbb R}$. But we can also obtain $q(x)$ by carrying out the interpolation in \eqref{eqn:interp-f2-a}, \eqref{eqn:interp-f2-b} over ${\mathbb Z}$. Thus the ${\mathbb F}_2$ representation of $f$ is obtained simply by reducing $q(x)$’s (integer) coefficients modulo $2$.

We saw an example of this derivation above with $\chi_{[3]}$. The $\pm 1$-representation is $x_1x_2x_3$. The representation over $\{0,1\} \subseteq {\mathbb Z} \subseteq {\mathbb R}$ is $\tfrac{1}{2} - \tfrac{1}{2} (1-2x_1)(1-2x_2)(1-2x_3)$, which when expanded equals \eqref{eqn:chi3Z} and has integer coefficients. Finally, we obtain the ${\mathbb F}_2$ representation $x_1+x_2+x_3$ by reducing the coefficients of \eqref{eqn:chi3Z} modulo $2$.

One thing to note about this transformation from Fourier expansion to ${\mathbb F}_2$-representation is that it can only decrease degree. As noted in Exercise 1.12, the first step, forming $q(x) = \tfrac{1}{2} - \tfrac{1}{2} p(1-2x_1, \dots, 1-2x_n)$, does not change the degree at all (except if $p(x) \equiv 1$, $q(x) \equiv 0$). And the second step, reducing $q$’s coefficients modulo $2$, cannot increase the degree. We conclude:

This proposition was shown by Siegenthaler, a cryptographer who was studying stream ciphers; his motivation is discussed further at the end of this chapter. More generally, Siegenthaler proved the following result (the proof does not require Fourier analysis):

Proof: Pick a monomial $x^J$ of maximal degree $d = \deg_{{\mathbb F}_2}(f)$ in $f$’s ${\mathbb F}_2$-polynomial representation; we may assume $d > 1$ else we are done. Make an arbitrary restriction to the $n-d$ coordinates outside of $J$, forming function $g : {\mathbb F}_2^J \to {\mathbb F}_2$. The monomial $x^J$ still appears in $g$’s ${\mathbb F}_2$-polynomial representation; thus by Corollary 22, $g$ is $1$ for an odd number of inputs.

Let us first show Proposition 24. Assuming $f$ is $k$-resilient, it is unbiased. But $g$ is $1$ for an odd number of inputs so it cannot be unbiased (since $2^{d-1}$ is even for $d > 1$). Thus the restriction changed $f$’s bias and we must have $n-d > k$, hence $d \leq n-k-1$.

Suppose now $f$ is merely $k$th-order correlation immune. Pick an arbitrary input coordinate for $g$ and suppose its two possible restrictions give subfunctions $g_0$ and $g_1$. Since $g$ has an odd number of $1$’s, one of $g_0$, $g_1$ has an odd number of $1$’s and the other has an even number. In particular, $g_0$ and $g_1$ have different biases. One of these biases must differ from $f$’s. Thus $n-d+1 > k$, hence $d \leq n-k$. $\Box$
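
The derivation described earlier (interpolate over ${\mathbb Z}$, then reduce the coefficients modulo $2$) and the two degree bounds reached in the proof can be checked mechanically. The following Python is an added example, not part of the original text. It assumes the standard characterization of $k$th-order correlation immunity as vanishing Walsh (Fourier) coefficients on every $S$ with $1 \leq |S| \leq k$, which this section does not restate; all function names and sample truth tables are constructed for illustration.

```python
def popcount(s):
    return bin(s).count("1")

def integer_coeffs(tt, n):
    """Coefficients of the multilinear q(x) over Z; index s is the bitmask of S."""
    c = list(tt)
    for i in range(n):
        for s in range(1 << n):
            if s >> i & 1:
                c[s] -= c[s ^ (1 << i)]  # Moebius inversion over subsets
    return c

def f2_degree(tt, n):
    """Reduce q's coefficients mod 2; size of the largest surviving monomial."""
    sizes = [popcount(s) for s, c in enumerate(integer_coeffs(tt, n)) if c % 2]
    return max(sizes, default=0)  # convention here: zero polynomial has degree 0

def walsh(tt, n):
    """W[S] = sum over x of (-1)^(f(x) + sum_{i in S} x_i), fast transform."""
    w = [1 - 2 * b for b in tt]
    for i in range(n):
        for s in range(1 << n):
            if s >> i & 1:
                a, b = w[s ^ (1 << i)], w[s]
                w[s ^ (1 << i)], w[s] = a + b, a - b
    return w

def ci_order(tt, n):
    """Largest k such that W[S] = 0 for every S with 1 <= |S| <= k."""
    w, k = walsh(tt, n), 0
    while k < n and all(w[s] == 0 for s in range(1, 1 << n) if popcount(s) == k + 1):
        k += 1
    return k

def report(tt, n):
    """(F_2-degree d, CI order k, balanced?, does the bound from the proof hold?)"""
    d, k, balanced = f2_degree(tt, n), ci_order(tt, n), 2 * sum(tt) == len(tt)
    # The proof sets d <= 1 aside; otherwise d <= n-k-1 if resilient, else d <= n-k.
    return d, k, balanced, d <= 1 or d <= n - k - (1 if balanced else 0)

# Constructed sample truth tables; bit i of the index holds x_{i+1}.
PARITY3 = [popcount(x) & 1 for x in range(8)]  # chi_[3] = x1+x2+x3
MAJ3 = [int(popcount(x) >= 2) for x in range(8)]  # x1x2+x1x3+x2x3
MIXED4 = [(x ^ (x >> 1) ^ ((x >> 2) & (x >> 3))) & 1 for x in range(16)]  # x1+x2+x3x4

if __name__ == "__main__":
    print(integer_coeffs(PARITY3, 3))  # integer coefficients before reduction mod 2
    for name, tt, n in (("parity3", PARITY3, 3), ("maj3", MAJ3, 3), ("mixed4", MIXED4, 4)):
        print(name, report(tt, n))
```

For $x_1 + x_2 + x_3x_4$ the function is $1$-resilient with ${\mathbb F}_2$-degree $2 = n-k-1$, so the resilient bound is met with equality; a stream-cipher combining function cannot raise its degree further without giving up correlation immunity.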

We end this section by mentioning another bound related to correlation immunity:

The proof of this theorem (left to the exercises) uses the Fourier expansion rather than the ${\mathbb F}_2$-representation. The bounds in both Siegenthaler’s Theorem and Theorem 25 can be sharp in many cases; this is also explored in the exercises.